Advanced Match Block Configurations
Match blocks provide conditional configuration, enabling fine-grained control over SSH access based on user, group, source address, or other criteria. Properly structured Match blocks implement complex security policies without running multiple sshd instances.
Implement comprehensive match block rules:
# Advanced match block configurations
# Add to the END of /etc/ssh/sshd_config: every directive after a Match line
# belongs to that block until the next Match line. A Match block overrides the
# global section, and when several blocks match, the first one that sets an
# option wins, so put the most specific blocks first.
# Validate with "sshd -t", then inspect what one connection would receive with
# "sshd -T -C user=bob,host=bob.example.net,addr=203.0.113.7".

# SFTP-only users with chroot
# /var/sftp/%u and every directory above it must be root-owned and not
# group- or world-writable, otherwise sshd refuses the session.
Match Group sftp-users
    ChrootDirectory /var/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    AllowAgentForwarding no
    PermitTunnel no
    X11Forwarding no
    # May be needed for SFTP clients
    PasswordAuthentication yes

# External contractors with restrictions
# A pattern list made only of negated entries never matches (PATTERNS in
# ssh_config(5)), so "Address !10.0.0.0/8" on its own would silently apply to
# nobody; "*" supplies the positive match and "!10.0.0.0/8" excludes the LAN.
Match Group contractors Address *,!10.0.0.0/8
    PasswordAuthentication no
    AllowTcpForwarding no
    PermitTunnel no
    X11Forwarding no
    MaxSessions 1
    ForceCommand /usr/local/bin/contractor-shell

# Administrators from office network
Match Group wheel Address 10.1.0.0/16
    PasswordAuthentication no
    AllowTcpForwarding yes
    PermitTunnel point-to-point
    X11Forwarding yes

# Database administrators with port forwarding
Match Group dbadmins
    AllowTcpForwarding yes
    PermitOpen localhost:3306 localhost:5432
    PermitTunnel no

# Git access only
Match User git
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
    ForceCommand /usr/bin/git-shell

# Monitoring user for health checks
Match User monitor
    PasswordAuthentication no
    AllowTcpForwarding no
    PermitTunnel no
    X11Forwarding no
    MaxSessions 1
    ForceCommand /usr/local/bin/health-check

# Time-based access for temporary users
# sshd_config has no keyword for account expiry: expiration is enforced by PAM
# (a custom module, or the account expiry date set with chage -E) and by the
# check-temp-access wrapper, which should refuse to run outside the window.
Match User temp-*
    PasswordAuthentication no
    ForceCommand /usr/local/bin/check-temp-access
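The authoritative check for a finished file is "sshd -t" followed by "sshd -T -C user=...,host=...,addr=...", which prints the options one connection would receive. As an added illustration (not sshd's code and not part of the original page), the Python model below of sshd's first-match and pattern-list rules shows why "Address !10.0.0.0/8" on its own applies to nobody while "Address *,!10.0.0.0/8" restricts only connections from outside the LAN; the user, group and address values are constructed for the demonstration.

```python
import fnmatch
import ipaddress

def match_list(value, patterns):
    """Model of sshd's pattern-list rule (PATTERNS in ssh_config(5)): a matching
    negated ('!') entry rejects at once, and the list matches only if some
    non-negated entry matched, so a list of only negated entries never matches."""
    positive = False
    for pat in patterns.split(","):
        neg, pat = pat.startswith("!"), pat.lstrip("!")
        try:  # CIDR entries (Address criteria); anything else is a wildcard
            hit = ipaddress.ip_address(value) in ipaddress.ip_network(pat, strict=False)
        except ValueError:
            hit = fnmatch.fnmatchcase(value, pat)
        if hit and neg:
            return False
        positive = positive or hit
    return positive

def effective_options(config, user, groups, addr):
    """Options one connection receives: the first value in a section wins, and
    the first matching Match block's values override the global section."""
    checks = {"user": lambda p: match_list(user, p),
              "group": lambda p: any(match_list(g, p) for g in groups),
              "address": lambda p: match_list(addr, p)}  # others: KeyError
    global_opts, match_opts, in_match, active = {}, {}, False, True
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, rest = (line.split(None, 1) + [""])[:2]
        key = key.lower()
        if key == "match":
            crit, in_match = rest.split(), True
            active = all(checks[k.lower()](v) for k, v in zip(crit[::2], crit[1::2]))
        elif not in_match:
            global_opts.setdefault(key, rest)
        elif active:
            match_opts.setdefault(key, rest)
    return {**global_opts, **match_opts}

# Constructed mini config shaped like the contractor block above, with the
# Address pattern substituted so the two spellings can be compared.
CONTRACTOR_CFG = ("AllowTcpForwarding yes\nMatch Group contractors Address {pattern}\n"
                  "    AllowTcpForwarding no\n")

def contractor_forwarding(pattern, addr):
    # AllowTcpForwarding that a contractors-group member gets when connecting from addr
    cfg = CONTRACTOR_CFG.format(pattern=pattern)
    return effective_options(cfg, "bob", ["contractors"], addr)["allowtcpforwarding"]
```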